In July 2014 and February 2015 we warned about fraudsters targeting law firms' client accounts, especially on Friday afternoons. In an effort to keep ahead, fraudsters have added a new weapon to their arsenal, which the National Fraud Intelligence Bureau is calling "invoice hijacking".
This scam involves the fraudster intercepting correspondence between two parties who have an existing contractual relationship, and "invoicing" the target for services that have actually been rendered. Solicitors are a particular target for this scam, for the usual reasons.
One sophisticated example we have just seen involved a conveyancing transaction. A deposit for a property was being paid in tranches, which the solicitor was holding on account for the client. The client received an email purporting to be from his solicitor, asking that the funds be transferred to a separate account because a limit had been reached. The fraudster provided details of a new account, to which the client sent the remaining deposit. The email account the fraudster had set up was similar enough to the solicitor's to fool the client, but the email was not from his solicitor. As the original email had been from the fraudster to the client, either the client's or the solicitor's email account must have been hacked, with each party suggesting the fault must lie with the other. In this case, the client had enough private funds to cover the sum stolen, allowing the transaction to complete; however, it remains to be proven where any liability may lie. If the client had not been able to complete, there could have been considerable losses down a whole conveyancing chain.
To reduce the likelihood of your firm becoming involved in this type of fraud, you should:
- Keep your firm's anti-virus software up to date
- Inform your clients never to send funds to a new account without calling the office and speaking to the relevant fee-earner first
- Tell your clients that they should always query any email that purports to come from their solicitor but was actually sent from a different email address, particularly if the domain name is different
Finally, if you are a victim of fraud you must immediately contact:
- Your bank
- The police
- Your brokers/insurers
- Your regulator
Taking immediate action may help to reduce the scale of this fraud.